VPN plus license
Access-list inside-in checks only connections going from inside to dmz or to outside interfaces.
And does not work for traffic going from outside to dmz.
For example, from a host located in inside:
only 1 rule in the ACL located on the inside int.
permit host 10.1.1.1 184.108.40.206 3389
telnet 220.127.116.11 4899
refused by remote host or unreachable.
telnet 18.104.22.168 3389
that is ok.
-=also static NAT rule from inside to outside=-
-=10.1.1.1 to 22.214.171.124 =-
but from a host located in outside:
telnet 126.96.36.199 3389
telnet 188.8.131.52 4899
that is not ok! because there is no access rule which permits that session from outside to inside.
I see matches only to the access list on the outside interface.
To close sessions to inside, what can I do?
except changing the access list permit ip any any on the outside interface?
I've read this:
1. A TCP SYN packet arrives at the PIX Firewall to establish a new connection.
2. The PIX Firewall checks the access control list (ACL) database to determine if the connection is permitted.
3. The PIX Firewall creates a new entry in the connection database (XLATE and CONN tables).
4. The PIX Firewall checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection function completes any required operations for the packet, the PIX Firewall forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The PIX Firewall receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.
Does that mean that if a packet is permitted on 1 ACL it will be permitted on all other ACLs???
I think you are missing the "statefulness" part of a firewall. When you have an ACL applied to an interface and one is initiating a connection behind that interface, if the ACL allows it then a connection is created. Return traffic for that connection that is coming from the outside will not be checked against the outside interface ACL because we have existing connections for it already.
Now if you want to block outside people from coming to your inside (connections initiated from the outside) you NEED an ACL on the outside. Inside ACLs do not apply to the inbound (outside initiated) connections. So to block outsiders from going to port 3389 you need to block them on the outside interface. I would suggest a "deny" for traffic destined to the internal hosts on the ports you want to block, above your permit any any if you don't want to block more than that.
Rate helpful posts.
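The seven-step PIX flow quoted in the question and the advice in the reply, as an added example that is not from the thread or from Cisco: a small Python model of per-interface ACL lookup plus a connection table. It shows why the inside ACL never sees outside-initiated SYNs, why replies skip the ACL, and what a deny above permit ip any any on the outside interface changes. The addresses are constructed RFC 5737 values, and the outside ACL is assumed to match the static-NAT global address, as the PIX of that era did.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addresses (RFC 5737 TEST-NET), not the thread's own.
INSIDE_HOST = "10.1.1.1"
INSIDE_GLOBAL = "203.0.113.10"          # static NAT of INSIDE_HOST as seen on the outside
REMOTE = "198.51.100.5"                 # a host on the outside
XLATE = {INSIDE_GLOBAL: INSIDE_HOST}    # step 3: XLATE table, global -> real address

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str                            # address or "any"
    dst: str
    port: Optional[int] = None          # None matches any port

@dataclass
class Pix:
    acls: dict                          # ingress interface -> ordered rule list
    conns: set = field(default_factory=set)   # step 3: CONN table (real addresses)

    def acl_permits(self, iface, src, dst, port):
        for r in self.acls.get(iface, []):      # first match wins, as on PIX
            if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (None, port):
                return r.action == "permit"
        return False                             # implicit deny at the end of every ACL

    def syn(self, iface, src, dst, port):
        """Steps 1-3: a new SYN is checked only against the ACL of the ingress interface."""
        if not self.acl_permits(iface, src, dst, port):
            return False
        self.conns.add((src, XLATE.get(dst, dst), port))
        return True

    def reply(self, src, dst, port):
        """Step 7: a reply is forwarded if it matches an existing connection; no ACL lookup."""
        return (XLATE.get(dst, dst), src, port) in self.conns

def scenario(outside_acl):
    """(inside-initiated RDP allowed, its reply allowed, outside-initiated RDP reaches inside)."""
    fw = Pix({"inside": [Rule("permit", INSIDE_HOST, REMOTE, 3389)], "outside": outside_acl})
    out_ok = fw.syn("inside", INSIDE_HOST, REMOTE, 3389)
    back_ok = fw.reply(REMOTE, INSIDE_GLOBAL, 3389)     # reply arrives for the global address
    in_ok = fw.syn("outside", REMOTE, INSIDE_GLOBAL, 3389)
    return out_ok, back_ok, in_ok

# The poster's situation: the outside ACL is only "permit ip any any".
OPEN = [Rule("permit", "any", "any")]
# The reply's suggestion: deny the unwanted ports to the inside host above that permit.
FIXED = [Rule("deny", "any", INSIDE_GLOBAL, 3389), Rule("deny", "any", INSIDE_GLOBAL, 4899),
         Rule("permit", "any", "any")]
```

With OPEN the outside-initiated 3389 session gets in even though the inside ACL is tight; with FIXED it is dropped while the inside-initiated session and its return traffic still work.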